magpie: add hardening
@@ -27,6 +27,19 @@
|
|||||||
boot.kernel.sysctl = {
|
boot.kernel.sysctl = {
|
||||||
"net.core.default_qdisc" = "fq";
|
"net.core.default_qdisc" = "fq";
|
||||||
"net.ipv4.tcp_congestion_control" = "bbr";
|
"net.ipv4.tcp_congestion_control" = "bbr";
|
||||||
|
"kernel.kptr_restrict" = 2;
|
||||||
|
"kernel.dmesg_restrict" = 1;
|
||||||
|
"kernel.kexec_load_disabled" = 1;
|
||||||
|
"kernel.yama.ptrace_scope" = 1;
|
||||||
|
"net.ipv4.conf.all.rp_filter" = 1;
|
||||||
|
"net.ipv4.conf.default.rp_filter" = 1;
|
||||||
|
"net.ipv4.conf.all.log_martians" = 1;
|
||||||
|
"net.ipv4.conf.all.accept_redirects" = 0;
|
||||||
|
"net.ipv4.conf.default.accept_redirects" = 0;
|
||||||
|
"net.ipv4.conf.all.send_redirects" = 0;
|
||||||
|
"net.ipv4.conf.default.send_redirects" = 0;
|
||||||
|
"net.ipv6.conf.all.accept_redirects" = 0;
|
||||||
|
"net.ipv6.conf.default.accept_redirects" = 0;
|
||||||
};
|
};
|
||||||
|
|
||||||
boot.initrd = {
|
boot.initrd = {
|
||||||
@@ -49,7 +62,7 @@
|
|||||||
# Set your time zone.
|
# Set your time zone.
|
||||||
time.timeZone = "Europe/Berlin";
|
time.timeZone = "Europe/Berlin";
|
||||||
|
|
||||||
users.users.root.initialHashedPassword = "";
|
users.users.root.hashedPassword = "!";
|
||||||
users.users.root.openssh.authorizedKeys.keys = [
|
users.users.root.openssh.authorizedKeys.keys = [
|
||||||
(builtins.readFile ../nixy/ssh_pubkey)
|
(builtins.readFile ../nixy/ssh_pubkey)
|
||||||
];
|
];
|
||||||
@@ -108,10 +121,14 @@
|
|||||||
certificateScheme = "acme-nginx";
|
certificateScheme = "acme-nginx";
|
||||||
};
|
};
|
||||||
|
|
||||||
services.journald.extraConfig = ''SystemMaxUse=50M '';
|
services.journald.extraConfig = ''SystemMaxUse=500M '';
|
||||||
services.logind.settings.Login = { KillUserProcesses = true; };
|
services.logind.settings.Login = { KillUserProcesses = true; };
|
||||||
services.openssh.settings.PermitRootLogin = "prohibit-password";
|
|
||||||
services.openssh.enable = true;
|
services.openssh.enable = true;
|
||||||
|
services.openssh.settings = {
|
||||||
|
PermitRootLogin = "prohibit-password";
|
||||||
|
PasswordAuthentication = false;
|
||||||
|
KbdInteractiveAuthentication = false;
|
||||||
|
};
|
||||||
services.openssh.listenAddresses = [
|
services.openssh.listenAddresses = [
|
||||||
{
|
{
|
||||||
addr = "10.100.0.1"; # wireguard
|
addr = "10.100.0.1"; # wireguard
|
||||||
@@ -119,6 +136,13 @@
|
|||||||
}
|
}
|
||||||
];
|
];
|
||||||
|
|
||||||
|
services.fail2ban = {
|
||||||
|
enable = true;
|
||||||
|
maxretry = 5;
|
||||||
|
bantime = "1h";
|
||||||
|
ignoreIP = [ "10.100.0.0/24" ];
|
||||||
|
};
|
||||||
|
|
||||||
services.opendkim = {
|
services.opendkim = {
|
||||||
enable = true;
|
enable = true;
|
||||||
selector = "mail";
|
selector = "mail";
|
||||||
@@ -308,6 +332,12 @@
|
|||||||
defaults.email = "asmir.abdulahovic@gmail.com";
|
defaults.email = "asmir.abdulahovic@gmail.com";
|
||||||
};
|
};
|
||||||
|
|
||||||
|
security.sudo.execWheelOnly = true;
|
||||||
|
|
||||||
|
environment.memoryAllocator.provider = "jemalloc";
|
||||||
|
|
||||||
|
systemd.coredump.enable = false;
|
||||||
|
|
||||||
sops = {
|
sops = {
|
||||||
age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
|
age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
|
||||||
secrets = {
|
secrets = {
|
||||||
@@ -341,14 +371,13 @@
|
|||||||
80
|
80
|
||||||
443
|
443
|
||||||
587
|
587
|
||||||
2049
|
]; # http, https, submission
|
||||||
]; # http, mail, mail, nfs
|
|
||||||
allowedUDPPorts = [
|
allowedUDPPorts = [
|
||||||
443
|
443
|
||||||
51820
|
51820
|
||||||
]; # mail, wireguard
|
]; # http3, wireguard
|
||||||
allowPing = true;
|
allowPing = true;
|
||||||
logRefusedConnections = lib.mkDefault false;
|
logRefusedConnections = lib.mkDefault true;
|
||||||
};
|
};
|
||||||
|
|
||||||
networking.nat = {
|
networking.nat = {
|
||||||
|
|||||||
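Review bot: `"net.ipv4.conf.all.rp_filter" = 1;` and its `default` counterpart in the first hunk select strict reverse-path filtering, which drops any packet whose return route would leave by a different interface than it arrived on; this same host terminates WireGuard (`addr = "10.100.0.1"; # wireguard`) and configures `networking.nat`, setups where asymmetric routing is common, so strict mode may silently discard legitimate tunnelled or forwarded traffic. Loose mode, `"net.ipv4.conf.all.rp_filter" = 2;` / `"net.ipv4.conf.default.rp_filter" = 2;`, keeps the anti-spoofing check while tolerating asymmetric paths, and because `log_martians` is enabled in the same hunk the journal will show which packets the filter rejects, which is the right place to confirm the choice after deployment. Separately, `environment.memoryAllocator.provider = "jemalloc";` in the fifth hunk picks a performance allocator rather than a hardening one, so under a commit titled "add hardening" a short comment stating why jemalloc was chosen (or a switch to a hardened provider such as `scudo`) would make the intent clear. The `networking.nat = {` block at the end of the last hunk continues outside the diff.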